I'm trying to use regex in Painless script:
name: test
index: test-%Y.%m.%d
use_strftime_index: true
type: any
filter:
- query:
query_string:
query: '
(data.eventId: "4104"
AND _exists_: data.aux4)
OR (data.eventId: "4103"
AND _exists_: data.aux8)
OR (data.eventId: "800"
AND _exists_: (data.aux8 OR data.aux7))
'
- script:
script:
source: |
def _scriptBlock = '';
def test = /[a-z]/.matcher(doc["data.aux4.keyword"].value);
if (doc['data.eventId.keyword'].value.contains('4104')) {
_scriptBlock = doc['data.aux4.keyword'].value;
SB = 'data.aux4.keyword';
} else if (doc['data.eventId.keyword'].value.contains('4103')) {
_scriptBlock = doc['data.aux8.keyword'].value;
} else if (doc['data.eventId.keyword'].value.contains('800')) {
if(doc["data.aux8.keyword"].size()>0){
_scriptBlock = doc['data.aux8.keyword'].value;
}
else {
_scriptBlock = doc['data.aux7.keyword'].value;
}
}
return test.matches();
aggregation:
minutes: 1
aggregation_key:
- 'collector.organization'
- 'eventSource.location.host'
- 'subject.name'
out_es_index: test_ok
data.aux4 and other fields contains text data.
this script working, but there is no regex:
- script:
script:
source: |
def _scriptBlock = '';
def test = 'test';
if (doc['data.msgId.keyword'].value.contains('4104')) {
_scriptBlock = doc['data.aux4.keyword'].value;
} else if (doc['data.msgId.keyword'].value.contains('4103')) {
_scriptBlock = doc['data.aux8.keyword'].value;
} else if (doc['data.msgId.keyword'].value.contains('800')) {
_scriptBlock = doc['data.aux8.keyword'].value;
}
_scriptBlock.contains(test);
I'd tried to use .matches(), .find() - it didn't work. Using script filter because in future I'm going to add 40+ regex conditions in different fields.